docs: document datastoreTLSSecretName mount path and usage

README.md

@@ -84,6 +84,55 @@ zed --insecure --endpoint=localhost:50051 --token=averysecretpresharedkey schema
 - Learn how to use SpiceDB via the [docs](https://docs.authzed.com/) and [playground](https://play.authzed.com/).
 - Ask questions and join the community in [discord](https://authzed.com/discord).
 
+## Configuration
+
+### Datastore TLS Certificates
+
+If your datastore requires TLS client certificates for authentication, you can configure SpiceDB to use them via the `datastoreTLSSecretName` configuration option.
+
+When configured, the operator will mount the specified secret's contents at `/spicedb-db-tls` (read-only) in both the SpiceDB pods and migration jobs. You can then reference these certificate files in your `datastore_uri` connection string.
+
+#### Example: PostgreSQL/CockroachDB with TLS
+
+1. Create a Kubernetes secret containing your TLS certificates:
+
+```console
+kubectl create secret generic my-db-tls \
+  --from-file=ca.crt=/path/to/ca.crt \
+  --from-file=tls.crt=/path/to/client.crt \
+  --from-file=tls.key=/path/to/client.key
+```
+
+1. Configure your SpiceDBCluster to use the secret:
+
+```yaml
+apiVersion: authzed.com/v1alpha1
+kind: SpiceDBCluster
+metadata:
+  name: production
+spec:
+  config:
+    datastoreEngine: cockroachdb
+    datastoreTLSSecretName: my-db-tls
+  secretName: production-spicedb-config
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: production-spicedb-config
+stringData:
+  datastore_uri: "postgresql://user@db.example.com:26257/spicedb?sslmode=verify-full&sslrootcert=/spicedb-db-tls/ca.crt&sslcert=/spicedb-db-tls/tls.crt&sslkey=/spicedb-db-tls/tls.key"
+  preshared_key: "your-secret-key"
+```
+
+The certificates will be available at these paths inside the SpiceDB containers:
+
+- `/spicedb-db-tls/ca.crt` - CA certificate
+- `/spicedb-db-tls/tls.crt` - Client certificate
+- `/spicedb-db-tls/tls.key` - Client private key
+
+Note: The exact SSL parameter names depend on your datastore's connection driver. Consult your datastore's documentation for the correct connection string format.
+
 ## Automatic and Suggested Updates
 
 The SpiceDB operator now ships with a set of release channels for SpiceDB.

examples/cockroachdb-tls-ingress/README.md

@@ -85,6 +85,39 @@ kubectl apply --server-side -k  .
 It is safe and may be necessary to run this multiple times if any of the resources fail to apply.
 CRDs especially may fail to create, so check the output for them.
 
+## Datastore TLS (Optional)
+
+This example configures TLS for SpiceDB's API endpoints and internal dispatch communication, but the CockroachDB database connection uses `sslmode=disable` for simplicity.
+
+If your production database requires TLS client certificates, you can configure them using the `datastoreTLSSecretName` option:
+
+1. Create a secret with your database TLS certificates:
+
+```sh
+kubectl create secret generic db-tls-certs \
+  --namespace spicedb \
+  --from-file=ca.crt=/path/to/db-ca.crt \
+  --from-file=tls.crt=/path/to/db-client.crt \
+  --from-file=tls.key=/path/to/db-client.key
+```
+
+1. Add `datastoreTLSSecretName` to the SpiceDB cluster config in `spicedb/spicedb.yaml`:
+
+```yaml
+spec:
+  config:
+    datastoreTLSSecretName: db-tls-certs
+```
+
+1. Update the `datastore_uri` in the secret to reference the mounted certificates at `/spicedb-db-tls`:
+
+```yaml
+stringData:
+  datastore_uri: "postgresql://root@cockroachdb.cockroachdb:26257/defaultdb?sslmode=verify-full&sslrootcert=/spicedb-db-tls/ca.crt&sslcert=/spicedb-db-tls/tls.crt&sslkey=/spicedb-db-tls/tls.key"
+```
+
+See the main [README](../../README.md#datastore-tls-certificates) for more details.
+
 ## Connect with `zed`
 
 If you haven't already, make sure you've installed [zed](https://github.com/authzed/zed#installation).